Encrypt Your Dropbox Using TrueCrypt

If your Dropbox contains sensitive files, you might want to encrypt it for protection in the event your laptop is stolen. If you’re already running BitLocker or some other form of full-disk encryption, then you probably don’t need to worry about this. Otherwise, a free piece of software called TrueCrypt can help.

TrueCrypt works by creating an encrypted file on your hard disk that will act as a container for your sensitive documents. The encryption is based on a password you provide. To access the contents, you “mount” the container file, which makes it show up as a new drive letter on your computer. At that point you can create directories, and read and write files, just like you would with a USB key.

If all this sounds complicated, just think of TrueCrypt like a password-protected USB key.

This page describes how to move your Dropbox folder to an encrypted TrueCrypt volume. The steps are for Windows XP, but I’ve included some notes for Windows 7.

Instructions

Install TrueCrypt and create a new encrypted file container.

Download TrueCrypt and run the installer. This guide was created using version 7.0a, but you’ll want to grab the latest.

Once it’s installed, run TrueCrypt and click Create Volume.

Choose Create an encrypted file container and click Next.

Choose Standard TrueCrypt volume and click Next.

Click Select File then specify a new filename for the container. Click Next.

Click Next again to accept the default encryption settings.

Specify the volume size and click Next.

It must be big enough to store all of the Dropbox files that you will sync to this computer. You can also store non-Dropbox files in this container if you want, to encrypt but not sync them.

You won’t be able to easily resize it later, so make sure to give yourself adequate space for new files.

If hard disk space is a constraint, you can make it smaller than your Dropbox account and use the Selective Sync feature to only store a portion of your Dropbox on this computer.

Provide a password which will be used for encryption and click Next.

We’re going to set things up so that you’ll need to enter this password every time you log into Windows in order to gain access to your sensitive files.

It’s important you don’t forget your password; if you do, you will lose access to the files stored in the container and also permanently lose any local changes you’ve made that haven’t yet been synced up to Dropbox.

Longer passwords are more secure than shorter ones. If you pick a password that’s only a few characters long and your computer gets stolen by someone who knows what they’re doing, it will be trivial for them to crack it and gain access to your files. You can combine a short password with a Keyfile to increase security, or use a Smart Card.

Pick the NTFS filesystem, move the mouse around the window for a moment, then click Next.

Right click the Dropbox icon in the system tray and click Preferences.

Click the Advanced tab, then under Dropbox location click Change and select the virtual drive that was created in the previous section (e.g. F:\).

Click OK and wait for the move to complete.

The current version of Dropbox (1.0.20) enforces that the folder be called “Dropbox”. Advanced users can use the pyDropboxPath tool to manually change the folder name if desired.

Delay Dropbox startup until after the volume is mounted.

If Dropbox runs before the encrypted drive is mounted, it will complain that it can’t find your Dropbox folder. We need to turn off the “run at startup” feature, then create a login script that waits for the drive to become available before starting the program.

In your Dropbox preferences, click the General tab, then turn off the checkmark beside Start Dropbox on system startup.

Create a new text file called bootup.bat somewhere on your C: drive.

If file extensions are hidden by Explorer, you may need to turn them on to ensure the file gets the `.bat` extension rather than `.bat.txt`. (The option in Explorer is under Tools | Folder Options | View, then under Advanced Settings select Show hidden files, folders and drives.)
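One way to write the bootup.bat login script described above, as an added example rather than the original page's script. The TrueCrypt and Dropbox install paths, the container path `C:\Secure\dropbox.tc` and the drive letter F: are assumptions to adjust.

```bat
@echo off
rem Added example, not the original page's script.
rem Assumptions to adjust: install paths, container path, drive letter.
setlocal
set "TC=%ProgramFiles%\TrueCrypt\TrueCrypt.exe"
set "CONTAINER=C:\Secure\dropbox.tc"
set "DRIVE=F"
set "DROPBOX=%APPDATA%\Dropbox\bin\Dropbox.exe"

rem Stop early if a program or the container file is missing.
if not exist "%TC%" goto missing
if not exist "%CONTAINER%" goto missing
if not exist "%DROPBOX%" goto missing

rem Volume already mounted (script run twice)? Go straight to Dropbox.
if exist %DRIVE%:\ goto start_dropbox

rem /v = container file, /l = drive letter, /q = do the mount and exit
rem without showing TrueCrypt's main window. No /p switch: the password is
rem typed into TrueCrypt's dialog and never stored in this plain-text file.
start "" "%TC%" /v "%CONTAINER%" /l %DRIVE% /q

rem Poll about once a second until the drive letter appears.
rem ping is used as the delay because XP has no timeout command.
:wait
if exist %DRIVE%:\ goto start_dropbox
ping -n 2 127.0.0.1 >nul
goto wait

:start_dropbox
rem Start Dropbox only if its folder really is on the encrypted volume,
rem so it never runs against an unmounted or wrong drive.
if not exist "%DRIVE%:\Dropbox\" goto nofolder
start "" "%DROPBOX%"
goto :eof

:missing
echo TrueCrypt, Dropbox or the container file was not found. Check the paths.
pause
goto :eof

:nofolder
echo %DRIVE%:\Dropbox does not exist. Dropbox was not started.
pause
```

If the password dialog is cancelled, the loop keeps polling for the drive, so the script window has to be closed by hand.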

Now reboot your computer. When you log on, you’ll see the bootup.bat window come up, with a TrueCrypt dialog in front asking for your password. Once you provide it, the encrypted volume will be mounted and Dropbox will start.

If you won’t need access to the files for this logon session, you can instead hit Cancel and close the black bootup.bat window.

Always close Dropbox before you dismount the encrypted volume.

If you try to dismount while Dropbox is still running, TrueCrypt will warn you. You’ll see a window that says “Volume contains files or folders being used by applications or system. Force dismount?” You should click No, exit Dropbox, then try again.

Sensitive Dropbox configuration files (advanced)

There are a few sensitive files which Dropbox stores alongside the application. These include `config.db` (contains private keys that allow access to your Dropbox account), `filecache.db` (contains sync information about your files), etc. If your laptop is compromised, this information could be used to gain access to your account, or view portions of data (or at least metadata) from your files.

You can use DropboxPortableAHK to relocate the entire Dropbox application, including these files, to the encrypted drive. I tested this briefly (on XP) and at first glance it seems to work, but setup is beyond the scope of this article.

Another solution would be to move just the db files. I haven’t found a way to tell Dropbox to store these files in a different location, but you could move the files then create NTFS symbolic links to them in the original location. While not officially supported, a Dropbox staff member did suggest the idea some time ago in this thread. Vista and Win7 users should be able to create the symbolic links using the mklink command (though I didn’t test that).

In XP the situation is trickier. You can move an entire folder using the Junction utility, but unfortunately this would move the application files as well. That breaks the shell extension (which provides the overlay icons and context menu options in Explorer), since Explorer doesn’t have access to the DLL file when the volume isn’t mounted. Conceivably, you could relocate DropboxExt.14.dll (or DropboxExt64.14.dll for 64-bit) to another location, but it would involve changing registry entries under the appropriate CLSIDs and likely make updating the software more difficult.

Additional Information

Note that TrueCrypt also has a full-disk encryption feature, but this page is written for people who, for one reason or another, prefer not to use it.

You can use USBCrypt instead, as described here. The author includes a neat trick which lets you auto-start Dropbox when the drive is mounted.

I’m not sure the point of this considering your files are NOT encrypted on Dropbox when you follow this procedure, they are ONLY encrypted on the COMPUTER. All the files being uploaded to Dropbox are not encrypted and when accessed from any other device or if Dropbox got hacked would be easily readable.

Joe

I was thinking the same thing Tyler.

MO

I would do the opposite of the guide
I mean, putting my encrypted container into dropbox…
So the data stored on dropbox is encrypted.
I wonder why dropboxwiki would not suggest this IYSWAM

Pete

Ditto, and have done it on my Mac. Only question I have is whether or not there are any issues that come up with having a volume within Dropbox when accessing from multiple computers. Do you just get the “xxx’s conflicted copy” message?

Tyler Whitney

I mean, I get in the beginning you say “If your Dropbox contains sensitive files, you might want to encrypt it for protection in the event your laptop is stolen.” My point is I would be more worried about somebody hacking Dropbox than my laptop getting stolen. I think it’s far more likely too.

I hope nobody is following this tutorial and thinking it would encrypt their data against dropbox.
Because this is not the case – if you want to show Dropbox and their servers only encrypted data, you need to
1) create a TC volume like “dropbox.tc”
2) move this volume to your dropbox folder
3) mount it and put all your stuff in it
4) unmount and let dropbox sync the file

http://adumont.serveblog.net/ Alexandre Dumont

Yes, in my opinion the article should clearly state that, in case people read it too fast a/o don’t realize that.

cronners

Many thanks for this article. I’ve tried it and it works as stated and suits my needs, i.e. providing some protection for data on a laptop/desktop if it is stolen. When I logon, the TrueCrypt volume automounts and asks for the volume password. When entered, the volume mounts, and then dropbox loads and begins synchronisation. For the time being dropbox’s own security is good enough for me.

I decided against putting the Truecrypt volume inside the dropbox folder as it appears (as far as I can see) to cause potential problems with synchronisation conflicts, can take a long time to synchronise, and only synchronises when you dismount.

sconaty

Another option is http://safeboxapp.com. It also encrypts your content before it is synced to the cloud by Dropbox. However, unlike truecrypt it works at a file, rather than a drive volume, level. This makes Dropbox syncs quicker since only the impacted files need to be uploaded/downloaded. Also, since it doesn’t use a virtual volume there is no awkward mounting and unmounting of the volume before Dropbox can sync it (disclaimer: I’m a member of the Safebox development team).

Skay

If you mount a file within your Dropbox account, does Dropbox have to re-update and upload the entire volume every time you change the contents? ie. the whole container file is updated not just a few files as is normally the case when using Dropbox. For example, if you had a word document within a 10gb container, change a few words and re-save would Dropbox upload an entirely new 10gb file?

Steep

Yes, I think it would. Since the container is only one file and this file has now been changed, dropbox would upload the entire file. The same thing goes for a TC container of 10 GB ONLY containing a 10 kB txt-doc (and nothing more). Change one letter, and you need to upload the entire 10 GB to dropbox.

zertyx

No, it doesn’t. Dropbox will only upload the changed part of the big file. I did this in the past using a Truecrypt volume within Dropbox. Now I use Boxcryptor, which encrypts each file separately and which is more convenient for mobile use (there is an app for Boxcryptor).

Waste

Thanks for wasting my time on this shit, seriously? what’s the point of all this if my files aren’t encrypted on dropbox.com they are only encrypted on my computer…

MSG

The point is if you want to have your DropBox folder accessible only to you on a *particular* computer that other people have access to (not on all computers!). You can keep your DropBox files encrypted on that computer and only be accessible to you using your TrueCrypt volume credentials. The DropBox files will remain un-encrypted on other computers as well as on the DropBox site itself. To have your files encrypted directly on the DropBox site you will have to put an encrypted volume in your DropBox account and place every file you want to have encrypted inside that volume. My main reservation with this method is if you change one little file within the volume the entire volume (as one encrypted file) will have to be synchronized with DropBox and all other computers connected to DropBox and if the volume is 30GB that may take a while.

Thor

If you change just one little file in the truecrypt container, the DropBox sync algorithms will only transfer the changed blocks. The algorithms used between your other computers may not be as clever.

D-nnis

Considering that the files inside TrueCrypt are __NOT__ encrypted in Dropbox: Is this a misleading article!?